Whose Internet Is It, Anyway? 





How we use the Internet



• Web Surfing

• Email

• Social Networking (Facebook, MySpace, Twitter)

• Word Processing, Spreadsheets, PowerPoint

• VoIP



What the bad 




attack 



• Web Surfing

• Email

• Social Networking (Facebook, MySpace, Twitter)

• Word Processing, Spreadsheets, PowerPoint

• VoIP



Who "owns" the Internet 



Internet consists of tens of thousands of independently 
owned and operated networks 

Various networks are connected via telecoms, ISPs, and 
backbone providers 

Private peering arrangement between providers 

Public peering points that connect the ISPs and Providers 



No one entity owns the Internet! 
No one entity is in charge of the Internet 



Your email, Your inbox 



Subject: possible fraudulent transaction and/or collusion with your VISA card 

Dear VISA card holder, 

A recent review of your transaction history determined that your card was used at an ATM located in Guam, but 
for security reasons the requested transaction was refused. You need to complete the VISA Card Holder Form. 
You can do this by clicking the link below: 

http://sessionidE0WiGZT1Z.cforms.visa.com/secureapps/vdir/cholderform.php?ref=…&email=…

VISA Cards Support 

ID: YZDYDOND00EJ9Y5JSG9S2ZBBXT3W5EM1 IDU4 



Your email, Your inbox 



From: Wachovia <usp@ppla.com> 
Date: Wed, 27 Jan 2010 10:39:41 -0500 
To: <undisclosed-recipients: ;>
Subject: New Alert Message 




UNAUTHORIZED ACCESS TO YOUR WACHOVIA ONLINE BANK ACCOUNT 



Dear Wachovia Customer 



We recently have determined that different computers have logged in your Wachovia Online Banking account, and
multiple password failures were present before the logons. We now need you to re-confirm your account information
to us. If this is not completed by January 28, 2010, we will be forced to suspend your account indefinitely, as it
may have been used for fraudulent purposes. We thank you for your cooperation in this manner. In order to confirm
your Online Bank records, we may require some specific information from you.

* To restore your account, please follow the link below: 

https://onlineservices.wachovia.com/auth/AuthService 
Thank you for using Wachovia Online Service. 

The Wachovia Bank Team. 



© 201 Wachovia Corporation. All rights reserved. 



Your email, Your inbox 



From: Western union® [mailto:infor@westernunion.com] 
Sent: Wednesday, January 27, 2010 3:23 PM 

Subject: Important aknowledgement from Western union® money transfer 



Dear Sir/Madam 

There is an issue with the Western Union Money Transfer in the amount of $500,000.00 

(Five Hundred Thousand United State Dollar) directed in "Automated Teller Machine" (ATM) Card at the owner of this email address.
The International Monetary Fund contacted us for your compensation a couple of hours ago 
due to your allocated security code. They choose to send it to an email address 
instead of a name. We are unable to complete your ATM delivery to an email address, 
so we require some more information in order to complete this Delivery . 

* Full Name: 

* Full Contact Address: 

* Mobile Phone Number: 

* Occupation: 

* Sex: 

* Marital Status: 

* Age: 

In order to effect this delivery, please email via Western Union Automated Teller Machine (ATM) Department:- westernunion_atmcard2009@upmall.us 
As soon as this information is received, your ATM card Will be delivered to your doorstep through a Diplomatic Courier Company and the tracking number will be sent to you to enable you track it down before its arrival in your country.

NOTE: You are required to reconfirm your Full name, House address where the Automated Teller Machine will be sent. 

Your valid telephone number is also needed for easy communication, 

The Management Of Western Union Money Transfer, Dispatched This Day Sincerely, 

Mr. Mark Greg. www.westernunion.com

Western Union® 

Welcome to Western Union - Send Money Worldwide 

Registered © 2008 - 2009 Western Union Money Transfer All Right Reserved



Your email, Your inbox 



Subject: BMW Automobile Award Programmed 
To:

Date: Saturday, January 23, 2010 7:36 PM



BMW Automobile Award Programmed

Your Email Address Has Won You A Car and a cash prise of 750,000GBP

In the BMW Automobile Promotion Held in United Kingdom.
To claim your prize Contact David Drown.
Email: bmwawareness@bmwdealernet.com
Telephone Number: +447024038675

1 Name:

2 Address:

3 Mobile No:

4 Age:

5 Sex:

6 Occupation:

7 Country:

All mail should go to bmwawareness@bmwdealernet.com

Regards,

Bmw Promo Team.

Phone No: +447024038675



Your email, Your inbox 



Subject: IRS REFUND Notification Please Read This! 



Internal Revenue Service

United States Department of the Treasury 



After the last annual calculations of your fiscal activity we
have determined that you are eligible to receive 546.47$ tax
refund under section 501(c)(19) of the Internal Revenue
Code. Please submit the Tax Refund Request Form and allow
us 3-9 days to process it.

Yours faithfully,

Sarah Hall Ingram, Commissioner



This notification has been sent by the Internal Revenue Service, a 
bureau of the Department of the Treasury. 



Your email, Your inbox 



Subject: Tax Refund 



Internal Revenue Service

United States Department of the Treasury



After the last annual calculations of your fiscal activity we have determined that you are eligible to receive 439.42$ tax refund under section
501(c)(25) of the Internal Revenue Code. Please submit the Tax Refund Request Form and allow us 3-9 days to process it.



Yours faithfully

Sarah Hall Ingram, Commissioner



This notification has been sent by the Internal Revenue Service, a bureau of the Department of the Treasury



Your email, Your inbox 



eBay Member: user173 <test@test.com>
subject: You've received a question about eBay item #220507397590
to: undisclosed-recipients:;

1/20/10 6:00



eBay sent this message from user173 (fc odia Wl liarn).

Your registered name is included to show this message originated from eBay. Learn more.



Question about item - Respond Now



Do not respond to the sender if this message requests that you complete the transaction outside of eBay. This type of offer is against eBay policy, may be fraudulent, and is not covered by buyer protection programs. Learn more.



Dear member,

I would like to know how much to start shipping charges for Miami (FL) and if pickup is available for this auction.
Thanks in advance and wait for your answer, when you are available,

Regards,

user173



Respond Now

Responses will not include your email address.



Item and user details

Item number: 220507397590
Item URL: cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=220507397590&sspagename=ADME:B:AAQ:1
End date: Thursday, Jan 22, 201 1 3:02: 1 2 PDT
From User: user173 (6245)

99.7% Positive Feedback

Member since Nov-22-02 in United States

Activity with user173 (last 90 days): I have bid on items from user173.
This message was sent when the listing was active. user173 is a potential buyer.



Marketplace Safety Tip

Second Chance Offer emails with the subject of "message from eBay Member" are fake. Real Second Chance Offers come directly from eBay and also appear in My Messages with a subject stating "eBay Second Chance Offer for item...".

Never pay for your eBay item using instant cash wire transfer services through Western Union or MoneyGram. These payment methods are unsafe when paying someone you don't know. Learn more about sending payments.

Is this email inappropriate? Does it violate eBay policy? Help protect the Community by reporting it.



Learn how you can protect yourself from spoof (fake) emails at:
http://pages.ebay.com/education/spooftutorial

This eBay notice was sent on behalf of another eBay member through the eBay platform and in accordance with our Privacy Policy. If you would like to receive this email in text format, change your notification preferences.

See our Privacy Policy and User Agreement if you have questions about eBay's communication policies.
Privacy Policy: http://pages.ebay.com/help/policies/privacy-policy.html
User Agreement: http://pages.ebay.com/help/policies/user-agreement.html



Copyright © 2006-2007 eBay, Inc. All Rights Reserved.

Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc.
eBay is located at 2145 Hamilton Avenue, San Jose, CA 95125.



A Friend has sent you a Hallmark E-Card.



If you recognize this name, click the link to see your E-Card.

http://www.hallmark.com/ECardWeb/ECV.jsp?a=…&product_id=…

If this name is not familiar to you and you're concerned about online security, please use
the following steps:



1. Visit http://www.hallmark.com/getecard

2. Enter your e-mail address in the Original Recipients E-Mail Address box.

3. Enter EG 06942627 7247 5 in the Confirmation Number box.

4. Click Display Greeting.



Want to send an E-Card too? Visit www.hallmark.com/ecards



To view Hallmark's privacy policy or for questions, visit www.hallmark.com, and click the links at the bottom of the
page.



Hallmark Cards, Inc., 2501 McGee, P.O. Box 419034, Kansas City, MO 64141




Your email, Your inbox 



from: PayPal Australia <info@paypal.com.au>
subject: Your account access has been limited
reply-to: noreply@paypal.com.au
to: undisclosed-recipients:;



Resolution Center: Your account access has been limited.



Dear Customer,



During the regular update and verification process of PayPal Account, we could not verify your current information.
Some of the possible reasons for this are:

• Changes in your current contact Information;

• Incomplete contact information;

Hence, your access to use this service has been limited.

To restore your Online account please click on the link below, log into your Online Account and follow the instructions on your
screen.

http://www.paypal.com.au/au/

Note: Only submit your information via this secure link.

Do not submit your information via email since this is not a secure way of sending
sensitive data.



Thank You. * Please do not reply to this email, as your reply will not be received. This is an automatic notification of new security messages.
Code #83945




Your email, Your inbox 



Subject: official "Underreported Income Notice" to taxpayer 

Taxpayer ID: 00000456101707US

Tax Type: INCOME TAX 

Issue: Unreported/ Underreported Income (Fraud Application) 

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below): 

review tax statement for taxpayer id: 00000456101707US 

Internal Revenue Service 



Your email, Your inbox 



from: K. Rind <kerryrindl@hotmail.com>
subject: YOUR PERUSAL
to: undisclosed-recipients:;
date: 1/23/10 6:21 PM

Dear Sir/Madam,

My name is Kerry Rind I work with a reputable Bank here in the Netherlands. I have Business Proposal of twenty Million Euros (20 Million Euros) for you to handle with me from my bank. I will need you to help me in transferring the above funds from the Netherlands to your country. I need to know if you will be able to handle this with me before I explain to you in details.

Should you be interested please send me your;

1. Full names,

2. Occupation,

3. Private phone number,

4. Current residential address

Finally after that I shall furnish you with more information about this project. However I shall be waiting your response and assurance.
Your earliest response to this letter will be appreciated. Do contact me on my email address: kerryrind@hotmail.com.
Kind Regards
Mr. Kerry rind




Your email, Your inbox 



[Screenshot: spam-advertised replica goods storefront, "Luxury at an affordable price!", selling watches, handbags & wallets, and jewelry & accessories (Rolex, Breitling)]




Your email, Your inbox



[Screenshot: spam-advertised "Dr. MaXman" enlargement pill storefront]




Your email, Your inbox



[Screenshot: spam-advertised "Max Gentleman" enlargement pill storefront]



Your email, Your inbox 



[Screenshot: browser view of a spam-advertised online pharmacy, "Canadian Pharmacy, #1 Internet Online Drugstore", page title "Order The Cheapest Medications Now!", loaded with scripts forbidden]



Researcher's "View" 



Possible botnets detected: sucipa.vc 

Host: sessionidVTKFJX5L8ZY.cforms.visa.com.sucipa.vc 






Researcher's "View"






Researcher's "View"



URL gets captured in the spamtrap:

http://alerts.cforms.visa.com.iursedq.com.vc/secureapps/vdir/cholderform.php?ref=3D22436633856732567028131339562172826513217986215473428007364284341942084744511&email=XXXX
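The captured URL and the "Host:" line on the earlier slide share one trick: the brand's real hostname sits to the left of a domain the phisher registered. The following is an added example, not part of the original slides, that flags that pattern; the suffix set, the brand list and the last three sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, covering only the
# suffixes needed here. Real deployments should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "gov", "uk", "co.uk", "vc", "com.vc"}

# Assumption: the brands being protected, as their genuine registrable domains.
PROTECTED_BRANDS = ("visa.com", "irs.gov")


def registrable_domain(host):
    """Longest known public suffix plus one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # i grows, so the first hit is the longest matching suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels


def classify(url):
    """Return (verdict, registrable_domain, impersonated_brand_or_None)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED_BRANDS:
        return ("brand-owned", reg, None)
    labels = host.split(".")
    # Labels to the left of the registrable domain are chosen freely by
    # whoever controls that domain, so a brand name there proves nothing.
    prefix = labels[: len(labels) - len(reg.split("."))]
    for brand in PROTECTED_BRANDS:
        want = brand.split(".")
        for i in range(len(prefix) - len(want) + 1):
            if prefix[i:i + len(want)] == want:
                return ("brand-in-subdomain", reg, brand)
    return ("unrelated", reg, None)


# The first two hosts appear on the slides (query strings shortened);
# the remaining URLs are constructed.
SAMPLES = [
    "http://alerts.cforms.visa.com.iursedq.com.vc/secureapps/vdir/cholderform.php?email=XXXX",
    "http://sessionidVTKFJX5L8ZY.cforms.visa.com.sucipa.vc/",
    "http://www.irs.gov.lookalike.example.co.uk/refund",
    "https://www.irs.gov/refunds",
    "http://shop.example.net/visa.com/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(classify(u), u)
```

The check looks only at the hostname, so a brand name placed in the path (the last sample) is reported as unrelated and needs a separate rule.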




Researcher's View 



The chase is on to put the pieces of the puzzle together 



Fake Whois 



Created On:27-Jan-2010 20:29:24 UTC 
Last Updated On:27-Jan-2010 20:29:24 UTC 
Expiration Date:27-Jan-2011 20:29:24 UTC 
Sponsoring Registrar:IP Mirror Pte. Ltd. (R116-LRCC) 

Registrant Name:Ayenne Applebaum 
Registrant Organization: 
Registrant Street1:6505 Marissa Circle 
Registrant Street2: 
Registrant Street3: 
Registrant City:Lake Worth 
Registrant State/Province: Lake Worth 
Registrant Postal Code:58441 
Registrant Country:US 
Registrant Phone:+1.5613123655



It's a Fast Flux Domain! 



;; ANSWER SECTION:
[15 records returned for iursedq.com.vc.]




Nameserver 



;; AUTHORITY SECTION:
iursedq.com.vc.    1800    IN    NS    ns1.whiskybrend.net.
iursedq.com.vc.    1800    IN    NS    ns1.nodefront.net.
iursedq.com.vc.    1800    IN    NS    ns2.nodefront.net.
iursedq.com.vc.    1800    IN    NS    ns2.whiskybrend.net.




Ah, more "leads" to chase! 



Found 12 records

[Screenshot: passive DNS results table with columns IP Address, ASN, BGP Netblock, First Seen, Host/Domain]




Threat Mitigation - Zeus 




Estimates of 600,000 victims

Anti Virus totally ineffective (less than 20% detection rates)

What can be done, and who should do it?



Whack a mole approach



Security Researchers

• Identify Fraudulent Domains
• Identify Associated Nameservers
• Enumerate Address Space

Internet Service Providers

• Shut down web hosting accounts
• Null route servers
• Remove DNS records
• Lock email accounts
• Preserve evidence for

Domain Registrars

• Deregister Domains
• Lock accounts
• Remove DNS Glue Records
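The researcher steps listed above (fraudulent domain, then its nameservers, then the address space behind them) can be run as one pivot over passive DNS rows. This is an added example, not code from the presentation: the rows are constructed with documentation addresses and ASNs, and the placement of the nodefront and whiskybrend nameservers on one address is an assumption for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed passive DNS rows in the slide's column order:
# (ip, asn, bgp_netblock, first_seen, host)
PDNS = [
    ("192.0.2.89", 64500, "192.0.2.0/24", "2010-01-26 11:00:00", "ns1.nodefront.net"),
    ("192.0.2.89", 64500, "192.0.2.0/24", "2010-01-26 12:00:00", "ns1.whiskybrend.net"),
    ("192.0.2.89", 64500, "192.0.2.0/24", "2010-01-15 09:00:00", "ns1.lead-one.example"),
    ("192.0.2.89", 64500, "192.0.2.0/24", "2010-01-20 06:00:00", "ns1.lead-two.example"),
    ("198.51.100.7", 64501, "198.51.100.0/24", "2010-01-10 08:00:00", "ns1.unrelated.example"),
]

# NS delegation of the phishing domain, as in the AUTHORITY SECTION slide.
DELEGATIONS = {
    "iursedq.com.vc": ["ns1.whiskybrend.net", "ns1.nodefront.net",
                       "ns2.nodefront.net", "ns2.whiskybrend.net"],
}


def pivot(domain, delegations, pdns):
    """Walk domain -> nameservers -> IPs -> co-hosted names -> netblocks."""
    by_host, by_ip = defaultdict(set), defaultdict(list)
    for ip, asn, netblock, first_seen, host in pdns:
        if ip_address(ip) not in ip_network(netblock):
            raise ValueError(f"{ip} is outside {netblock}")
        by_host[host].add(ip)
        by_ip[ip].append((first_seen, host, asn, netblock))

    nameservers = sorted(delegations.get(domain, []))
    ns_ips = sorted({ip for ns in nameservers for ip in by_host.get(ns, ())})
    rows = [row for ip in ns_ips for row in by_ip[ip]]
    return {
        "domain": domain,
        "nameservers": nameservers,
        # nameservers we hold no passive DNS rows for: still to be resolved
        "no_pdns_data": [ns for ns in nameservers if ns not in by_host],
        "nameserver_ips": ns_ips,
        # other names seen on the same addresses: the "more leads to chase"
        "new_leads": sorted({host for _, host, _, _ in rows} - set(nameservers)),
        "address_space": sorted({(asn, nb) for _, _, asn, nb in rows}),
        "earliest_seen": min((fs for fs, _, _, _ in rows), default=None),
    }


def worklist(report):
    """Group findings by who can act on them, following the slide's roles."""
    return {
        "registrar": [report["domain"]],    # deregister, remove glue records
        "isp": report["nameserver_ips"],    # null route, shut down hosting
        "researcher": report["new_leads"],  # next names to investigate
    }


if __name__ == "__main__":
    report = pivot("iursedq.com.vc", DELEGATIONS, PDNS)
    print(report)
    print(worklist(report))
```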



Blackhat DC 201 
Whose Internet I 




[Logos: The Spamhaus Project, SURBL, Deteque, Go Daddy, Internet Systems Consortium]



